CVE-2026-45675 HIGH

CVE-2026-45675: Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts

Vendor Open-Webui

Product open-webui

Weakness CWE-269

Published May 15, 2026

Last update May 19, 2026

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, he LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler (signup_handler in auths.py, line 663) was explicitly patched to prevent this race with the comment "Insert with default role first to avoid TOCTOU race", but the LDAP and OAuth code paths were never updated with the same fix. This vulnerability is fixed in 0.9.0.

Key dates

02Disclosure timeline

May 15, 2026 CVE published

May 19, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-45675

Related vulnerabilities

CVE-2026-45675: Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts

01Description

02Disclosure timeline

03References

04Related CVE